Phishing is a form of cybercrime in which fraudulent messages, disguised as coming from a legitimate sender, are used to coax recipients into handing over sensitive data such as credit card numbers or login credentials, or into clicking a link or opening an attachment, typically leading to identity theft or financial loss. The delivery method varies, but the attackers' goal stays the same: to extract personal data from the victim.
Phishing becomes even more dangerous when the target is an organization, because the organization's most important asset, its employees, is also its most exposed one. Even vigilant employees are susceptible, and a moment of inattention is enough to respond to a well-crafted campaign.
Origin and History
The practice of phishing dates back to the 1990s. One of the earliest noteworthy incidents involved AOL (America Online), then the leading Internet access provider in the United States, when attackers tried to trick AOL users into handing over their login credentials. These early attackers belonged to the warez community, which traded in pirated games and software and in whatever else, personal information included, it could get hold of.
The term "phishing" swaps "ph" for the "f" of "fishing" and was probably influenced by "phreaking", short for "phone phreaking", the slang term for breaking into telephone networks.
Over the years, both the number and the intensity of phishing frauds have risen considerably. According to a report by APWG, the count of unique phishing websites increased by almost 74 percent between October 2017 and March 2018, and almost half of the reported phishing sites used a ".com" domain.
Some of the most talked about phishing frauds:
- In 2009, Operation Phish Phry became the biggest international phishing case seen until then: the FBI and its partners charged about 100 people in the U.S. and Egypt with defrauding U.S. bank customers of roughly $1.5 million through phishing emails and fake banking sites.
- In 2011, attackers breached RSA, the security firm whose SecurID tokens protected the networks of U.S. defense contractors, using a spear-phishing email with an Excel attachment that exploited a then-unpatched (zero-day) flaw in Adobe Flash.
- In 2014, about 100 TB of data was stolen from Sony Pictures in an attack that began with a wave of spear-phishing emails; the incident is estimated to have cost the company about $100 million.
- In 2016 came probably the most consequential phishing attack on record, when attackers obtained the Gmail password of Hillary Clinton's campaign chair, John Podesta, through a message posing as a Google security alert.
Types of Phishing
The common denominator among phishing attacks is disguise. Sender addresses are spoofed to give the impression that the email comes from a legitimate source; fake websites are set up to replicate trusted sites; and URLs are disguised with look-alike characters from other scripts. All of them work on the same principle: exploiting human trust to extract personal information.
Looking at the ways in which attackers con people, phishing attacks are commonly categorized as spear phishing, whaling, pharming, and clone phishing.
In spear phishing, fraudsters personalize the message for one recipient to make it convincing. They spoof the sender's name and email address and weave in the target's position, company, work phone number and other details to make the message look as if it came from a legitimate, known source.
Spear phishing is very common on social networking sites, where attackers not only research and identify their victim but also collect the information they need to craft a targeted attack email.
Whaling is spear phishing aimed at big fish: CEOs, board members, and other high-profile targets. Company board members are considered especially vulnerable and are the primary target of such frauds. While they have a great deal of authority within the organization, they are often guilty of using personal email addresses for business communication, and those accounts lack the security controls of corporate email.
Pharming redirects a website's traffic to a fake copy of it. No malicious link needs to be clicked: the attacker tampers with name resolution, either on the victim's computer (its hosts file or DNS settings) or at the DNS resolver it relies on, so the victim lands on the fake site even after typing the correct URL.
In clone phishing, attackers copy a legitimate message the victim has already received and resend it with the link or attachment swapped for a malicious one, often presented as a resend or an updated version. Because it looks like a replica of earlier mail from the same sender, the recipient is inclined to click.
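The disguises described in this section, a forged display name or sender address and a cloned message resent as if it were part of a thread, leave traces in the message headers. The following Python script is an added example, not code from the original article: it parses two constructed raw messages (one spoofed, one legitimate; neither is a real capture) with the standard library's `email` package and lists the indicators an analyst would check. It assumes that the receiving mail server stamps an `Authentication-Results` header (RFC 8601) and that the sender's organisation is identified by the domain of the `From` address.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages for the demo (not real captures).
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-example.net; dkim=none
From: "Accounts Payable <ap@example.com>" <ap.example.com@mail-example.net>
Reply-To: billing.desk.ap@mailbox-example.org
To: finance@example.com
Subject: RE: Invoice 4471 - updated remittance details
Content-Type: text/plain

Please use the attached updated bank details for invoice 4471.
"""

LEGITIMATE_MESSAGE = b"""\
Return-Path: <ap@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: Accounts Payable <ap@example.com>
To: finance@example.com
Subject: RE: Invoice 4471
In-Reply-To: <20240101.4471@example.com>
Content-Type: text/plain

Confirming invoice 4471 as discussed.
"""

ADDRESS_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' when there is none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def first_address(msg, name):
    """(display_name, addr_spec) of the first mailbox in a structured address header."""
    header = msg[name]
    if header is None or not getattr(header, "addresses", ()):
        return "", ""
    first = header.addresses[0]
    return first.display_name, first.addr_spec


def analyse_headers(raw: bytes) -> list:
    """Return human-readable findings that point to a forged or cloned sender."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display, from_addr = first_address(msg, "From")
    from_dom = domain_of(from_addr)

    # 1. An address written into the display name that differs from the real
    #    sender is the classic 'Trusted Name <trusted@corp>' disguise.
    for embedded in ADDRESS_RE.findall(display):
        if domain_of(embedded) != from_dom:
            findings.append(f"display name shows {embedded} but sender is {from_addr}")

    # 2. A Reply-To on another domain is why 'just hit reply' is not a verification.
    _, reply_to = first_address(msg, "Reply-To")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To {reply_to} is on a different domain from From")

    # 3. Return-Path is the envelope sender; parseaddr copes with the '<addr>' form.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and domain_of(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} does not match the From domain")

    # 4. Authentication-Results is stamped by the receiving server (RFC 8601);
    #    anything but 'pass' means the From domain was not verified.
    for method, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() != "pass":
            findings.append(f"{method.lower()}={result.lower()}")

    # 5. A subject that claims to be a reply or forward but carries no threading
    #    headers is a clone-phishing tell: it was composed fresh, not sent in-thread.
    subject = str(msg.get("Subject", ""))
    if re.match(r"\s*(re|fwd?):", subject, re.IGNORECASE) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("subject claims a reply/forward but has no In-Reply-To/References")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, analyse_headers(raw) or ["no findings"])
```

Run against the spoofed message this reports five findings (the embedded address in the display name, the off-domain Reply-To, `spf=fail`, `dkim=none`, and the fake "RE:" with no threading headers); the legitimate message produces none. A mismatching Return-Path is reported as well, but on its own it is weak evidence, since legitimate bulk mailers often send on a customer's behalf; the authentication results are what settle whether the From domain can be trusted.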
How to Prevent Phishing
“Despite the continued investment, phishing emails continue to bypass perimeter technologies to reach employees’ inboxes every day,” said Rohyt Belani, co-founder and CEO of PhishMe.
There is no simpler way to combat the ever-rising phishing scams than to:
- Educate employees: human error is commonly estimated to be a factor in more than 90 percent of breaches, so security awareness training is the most direct countermeasure
- Check the spelling of URLs in emails before clicking or entering sensitive information. Prefer sites served over HTTPS, but treat the padlock only as proof that the connection is encrypted, not that the site is legitimate: anyone, including a phisher, can obtain a certificate for a look-alike domain. A plain "http://" login page is a red flag; an "https://" one is not by itself a green one
- Look out for redirects that land you on a different website with an identical look and feel; check the address bar after the page loads, not just the link you clicked
- If an email from an apparently trustworthy source seems suspicious, verify with the sender through a new message or another channel rather than hitting reply, since the Reply-To address may belong to the attacker
- Never post personal data, such as your birthday, vacation plans, address or phone number, publicly on social media; it is raw material for spear phishing
- Block pop-ups and allow them case by case. Even clicking a pop-up's "cancel" button can take you to a malicious site
- Install anti-phishing browser extensions and anti-virus software, and keep browsers up to date; security patches for popular browsers are released constantly
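Several of the checks above (URL spelling, the HTTP versus HTTPS scheme, and redirects to a look-alike site) can be automated before anyone clicks. The Python script below is an added example, not code from the original article. It extracts URLs from a constructed message body (none of the URLs are real phishing sites) and flags the tricks described in this post, going slightly beyond the text by also catching user-info before "@", bare IP hosts and punycode domains. The `TRUSTED` allow-list, the `REDIRECT_PARAMS` names and the small confusable table are assumptions chosen for the example.

```python
import re
import unicodedata
from ipaddress import ip_address
from urllib.parse import parse_qsl, urlsplit

# Constructed message body for the demo; none of these URLs are real phishing sites.
SAMPLE_BODY = """\
Your mailbox is almost full. Sign in at https://login.example.com/mailbox to free space.
If that fails use http://login.example.com.account-verify.test/reset
or https://xn--exmple-cua.com/login or https://example.com@203.0.113.7/update
Single sign-on: https://login.example.com/sso?next=http://203.0.113.7/
"""

# Assumed allow-list of domains the organisation really uses.
TRUSTED = {"example.com", "login.example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Assumed list of query parameters commonly used as redirect targets.
REDIRECT_PARAMS = {"next", "url", "redirect", "redirect_uri", "return", "goto", "continue"}
# Digits that pass for letters in an address bar; 'rn' for 'm' is handled separately.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so the host reads as the browser would show it."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def skeleton(host: str) -> str:
    """ASCII 'skeleton' of a host name: accents stripped, confusables folded."""
    folded = unicodedata.normalize("NFKD", to_unicode(host)).encode("ascii", "ignore").decode()
    return folded.lower().replace("rn", "m").translate(CONFUSABLE_DIGITS)


def is_trusted(host: str, trusted) -> bool:
    """True only when the host IS a trusted domain or a subdomain of one."""
    return host in trusted or any(host.endswith("." + t) for t in trusted)


def check_url(url: str, trusted=TRUSTED) -> list:
    """Return the red flags found in one URL ([] when nothing looks wrong)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    if parts.scheme == "http":
        findings.append("plain HTTP, no TLS at all")
    if parts.username is not None:
        findings.append(f"user-info trick: '{parts.username}@' is not the host, {host} is")
    try:
        ip_address(host)
        findings.append("bare IP address instead of a host name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode host, shown to the user as {to_unicode(host)}")

    if not is_trusted(host, trusted):
        embedded = [t for t in trusted if t in host]
        if embedded:
            findings.append(f"trusted name {embedded[0]} embedded in untrusted host {host}")
        elif skeleton(host) in {skeleton(t) for t in trusted}:
            findings.append(f"look-alike of a trusted domain: {host}")

    # Redirect parameters: the link starts on a trusted host but ends elsewhere.
    for key, value in parse_qsl(parts.query):
        if key.lower() in REDIRECT_PARAMS and value.lower().startswith(("http://", "https://", "//")):
            target = (urlsplit(value).hostname or "").lower()
            if not is_trusted(target, trusted):
                findings.append(f"redirect parameter '{key}' hands you off to {target}")
    return findings


def scan_text(text: str, trusted=TRUSTED) -> dict:
    """Map each URL found in the text to its findings ([] means nothing suspicious)."""
    return {url: check_url(url, trusted) for url in URL_RE.findall(text)}


if __name__ == "__main__":
    for url, flags in scan_text(SAMPLE_BODY).items():
        print(url, "->", flags or "ok")
```

Only the first URL in the sample passes clean. The point of `is_trusted` is that a trusted name has to be the end of the host, not merely appear in it: `login.example.com.account-verify.test` is owned by whoever registered `account-verify.test`. The skeleton comparison is deliberately crude (a real deployment would use the Unicode confusables table), but it is enough to show why a punycode label such as `xn--exmple-cua.com` is displayed as `exämple.com` and why that deserves a second look. Redirects are judged statically from the query string; following them live would need network access and should be done from a sandbox, not the analyst's workstation.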
Overall, phishing is the simplest and yet one of the most dangerous ways to defraud someone. Stay careful and vigilant about communications that don't sound or look right. There is no single foolproof way to avoid phishing attacks; vigilance is the key to spotting anything phishy.
That’s all from our end. Until next time!